Description

This extension bridge the old XWikiAuthService with the new component architecture of XWiki. It is oriented to ease the development of trusted authenticators by using configurable adapter components, that bridge the effective trusted authentication with a generic authenticator. Out of the box, you get user creation, configurable user properties synchronization and group membership synchronization.

Some default adapters will be provided over time, actually starting with a reimplementation of the headers authenticator.

Trusted authenticator API

The general behavior of the trusted authentication is:

If persistent store is trusted and not null, return the already authenticated user

getUserId() from the adapter:

if user is null, return with public access

else compute the user profile reference from getUserName(), replacing . by = and @ by _

if user is found in persistence store, return that authenticated user

else, check user for existance:

if the user exists, synchronize user properties and group membership

else create user and synchronize group membership

stores the authenticated user to persistence store and returns it

Currently, it is mandatory that getUserId() and getUserName() returns the exact same value. In a future version it is expected that only getUserId() should be unique, and getUserName() a more meaningful value that may have duplicates, without causing confusions.

General configuration

xwiki.cfg file

#-# Define the hint of the TrustedAuthenticationAdapter that should be used for providing the effective#-# trusted authentication. This parameter is mandatory.#-# Here is an example for the HeadersTrustedAuthenticationAdapter:xwiki.authentication.trusted.adapterHint=headers

#-# Define the hint of the AuthenticationPersistenceStore that will be used to persist authentication between#-# requests. The default is to use the SessionAuthenticationPersistenceStore, which will store authentication#-# information into the Servlet container session. #-# Another option is to use the CookieAuthenticationPersistenceStore (hint: cookie), that will store the#-# information into an encrypted cookie. The cookie prefix, domain, path and encryption is customizable using the#-# same configuration as the standard authentication services (xwiki.authentication.cookieprefix, #-# xwiki.authentication.cookiepath, xwiki.authentication.cookiedomains and xwiki.authentication.encryptionKey)# xwiki.authentication.trusted.persistenceStoreHint=session

#-# By default the persistence store is not trusted, but only used to optimize the synchronization process.#-# If the authentication process is time consuming, you may improve performance by trusting the authentication#-# provided by the persistence store without requesting the external authentication, simply uncomment: # xwiki.authentication.trusted.isPersistenceStoreTrusted=true

#-# Only used with the Cookie persistence store, allow setting the cookie Time To Live in seconde to keep #-# persistence between browser restart. The default is to use a session cookie.#-# Here is an example using a 1 day TTL, which means the persistence is kept for 1 day after last response.#-# Combine with the above parameter, this could also keep the authentication for a longer period than#-# the one of the external authenticator, but this is obviously less secure.# xwiki.authentication.trusted.persistenceStoreTTL=84600

#-# By default, on failure to find an authenticated user, the authentication fallback (to a custom fallback or#-# the default XWiki authentication). To prevent fallbacking, and return public access on failure to find an#-# authenticated user, simply uncomment:# xwiki.authentication.trusted.isAuthoritative=true

#-# Only applicable if the previous parameter is true, this allow defining the classname of the#-# XWikiAuthService to fallback to. By the fault, the authenticator fallback to the default XWikiAuthService#-# implementation, and you should not uncomment the following with targetting another service, since it will#-# just have a negative performance impact.# xwiki.authentication.trusted.fallbackAuthenticator=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl

#-# Define the letter case transformation that needs to be applied on username provided by the adapter#-# to create the name of the user profile page. This letter case transformation is done first, before the#-# replacements defined in the next parameter. The default is to lowercase the username.#-# Possible transformation are: lowercase (default), uppercase, titlecase, none# xwiki.authentication.trusted.userProfileCase=none

#-# Define characters or substring replacements to be applied on the username provided by the adapter after#-# the above case transformation, to create the name of the user profile page. Replacement are of the form#-# find=replace and separated by pipes. The default is to not make any replacement#-# Before the introduction of this parameter, the default was different, you can reactivate it by uncommenting:# xwiki.authentication.trusted.userProfileReplacements=.==|@=_

#-# Mapping between XWiki group name and external authentication role name.#-# Mapping are separated with the pipe character, and the same XWiki group can be mapped multiple times to#-# different external roles.# xwiki.authentication.trusted.groupsMapping=XWiki.XWikiGroupA=groupA|XWiki.XWikiGroupB=groupB|XWiki.XWikiGroupA=groupAbis

XWikiPreferences

While not recommended, it's also possible to put any of theses configuration in the XWiki.XWikiPreferences object in the XWiki.XWikiPreferences page of the main wiki. Add a string field with the proper name to the class and put the value you want.

The fields names are not exactly the same, you have to change xwiki.authentication.trusted. prefix to trustedauth_:

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager). Note that installing Extensions when being offline is currently not supported and you'd need to use some complex manual method.

You can also use the manual method which involves dropping the JAR file and all its dependencies into the WEB-INF/lib folder and restarting XWiki.